Christ Church Policy on Data Protection

1. Purpose and scope

This policy provides a framework for ensuring that Christ Church meets its obligations under UK data protection law. It applies to all processing of personal data carried out for a college, cathedral, or school purpose, irrespective of whether the data is processed on Christ Church equipment, on non-Christ Church equipment, or by third parties.

‘Personal data’ means any information relating to a living individual who can be identified from that data, either on its own or in combination with other data. ‘Processing’ means anything that is done with personal data, including collection, storage, use, disclosure, and deletion.

More stringent conditions apply to the processing of special category personal data.

‘Special category’ personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It also includes genetic data, biometric data processed for the purpose of uniquely identifying an individual, health data, and data concerning an individual’s sex life or sexual orientation.

This policy should be read in conjunction with the accompanying guidance which provides further detail and advice on practical application, as well as any other documents that impose confidentiality or data management obligations in respect of information held by Christ Church.

This policy does not cover the use of personal data by members of Christ Church when acting in a private or non-Christ Church capacity.

‘Staff’ should be taken to mean all staff, whether academic, academic-related, or non-academic, full- or part-time, or teaching contractors, and includes those undertaking work experience and interns.

2. Background

The processing of personal data underpins almost everything that Christ Church does. Without it, for example, students cannot be admitted or taught, staff cannot be recruited or paid, research involving living individuals cannot be carried out, and events cannot be organised for alumni or visitors.

Christ Church is responsible for handling people’s most personal information. If personal data is not handled properly, individuals may be put at risk.

There are also legal, financial, and reputational risks for Christ Church.

3. Principles

The processing of personal data must comply with data privacy law and, in particular, the six data privacy principles which require that personal data is:

  • processed fairly, lawfully, and in a transparent manner;
  • collected only for specified, explicit, and legitimate purposes, and not used or disclosed in any way incompatible with those purposes;
  • adequate, relevant, and limited to what is necessary;
  • accurate and, where necessary, up-to-date;
  • not kept for longer than necessary; and
  • kept safe and secure.

The additional umbrella principle of accountability requires us to be able to show compliance with these principles.

4. Aims and commitments

Christ Church handles a large amount of personal data and takes seriously its responsibilities under data protection law. It recognises that the mishandling of an individual’s personal data may cause them distress, put them at risk of identity fraud, or compromise their right to privacy. Consequently, Christ Church is committed to:

  • complying fully with data privacy law;
  • where practicable, adhering to good practice, as issued by the Information Commissioner’s Office or other appropriate bodies; and
  • handling an individual’s personal data in a careful and considerate manner that recognises the importance of such data to their privacy and welfare.

Christ Church seeks to achieve these aims by:

  • ensuring that staff, students, and other individuals who process data for college, cathedral and school purposes are made aware of their individual responsibilities under data protection law and how these apply to their areas of work;
  • providing suitable training, guidance, and advice. Bespoke in-house training may be supplemented by the University’s online training course on data privacy and information security;
  • incorporating data protection requirements into administrative procedures where these involve the processing of personal data, particularly in relation to major information systems (the concept of ‘privacy by design’); 
  • operating a centrally co-ordinated procedure (in order to ensure consistency) for the processing of subject access and other rights-based requests made by individuals; and
  • investigating promptly any suspected breach of data privacy law; reporting it, when necessary, to the ICO; and seeking to learn any lessons from incidents to reduce the risk of recurrence.

5. Roles and responsibilities

Governing Body

Governing Body, as the Data Controller, has responsibility for ensuring that Christ Church complies with data protection law.

Data Protection Officer (DPO)

The DPO is responsible for monitoring internal compliance, advising on Christ Church’s data protection responsibilities, and acting as the point of contact for individuals and for the ICO.

Data Protection Compliance Manager (DPCM)

The DPCM is responsible, on behalf of and reporting to the DPO, for the day-to-day administration of Christ Church’s compliance with data protection law. Tasks include (but are not limited to):

  • the training of new and existing staff (both academic and non-academic) so that they are aware of their data protection responsibilities;
  • ensuring that records of processing activities are maintained and up-to-date;
  • undertaking data protection impact assessments and legitimate interests assessments when necessary;
  • ensuring that privacy notices are up-to-date and accurate;
  • advising on data protection issues; and
  • assisting the DPO as appropriate and when requested.

All staff

Anyone who processes personal data for a Christ Church purpose is individually responsible for complying with data protection law and this policy.  Staff must ensure that they:

  • only use personal data in ways individuals would reasonably expect and only for the purposes for which it was collected;
  • use a minimum amount of personal data and hold it only for as long as is strictly necessary;
  • keep personal data up-to-date;
  • keep personal data secure, in accordance with Christ Church’s Information Security Policy;
  • do not disclose personal data to unauthorised persons, whether inside or outside Christ Church and the University;
  • complete relevant training as required;
  • report promptly any suspected breach of data protection law, in accordance with the procedure set out in section 6 below, and follow any recommended next steps;
  • seek advice from the DPO and/or the DPCM when or if they are unsure how to comply with data protection law; and
  • promptly respond to any requests from the DPO/DPCM in connection with subject access and other rights-based requests and complaints (and forward any such requests that are received to the DPO/DPCM promptly).

6. Breaches of data privacy law

Christ Church will investigate incidents involving a possible breach of data protection law in order to ensure that, when necessary, appropriate action is taken to mitigate the consequences and prevent a repetition of similar incidents in the future. Depending on the nature and severity of an incident, it may also be necessary to notify individuals affected by the breach, the Information Commissioner’s Office, and the Charity Commission.

A breach occurs when, for example, personal data is disclosed or made available to unauthorised persons, or is used in a way that the data subject would not expect, whether the act was unintentional or deliberate. Loss of personal data, or loss of access to it (for example through a lost or stolen device, or a ransomware incident), is also a breach, even where no one outside Christ Church has seen the data.

All incidents should be reported to the DPO/DPCM at the earliest opportunity and in any event within 72 hours of discovery. Note that where a breach must be reported to the ICO, that notification is itself due within 72 hours of Christ Church becoming aware of the breach, so prompt internal reporting is essential. Completion of a data breach form will be required to enable an assessment of the breach to be made and a decision taken on reporting.

The ICO has the power to impose significant fines where a breach of data protection law seriously affects individuals’ rights in relation to their personal data.

7. Compliance

Christ Church regards any breach of data privacy law, or of this policy, as a serious matter which may result in disciplinary action. Depending on the nature of the breach, an individual (not just the corporate body) may be found personally liable. Unlawfully obtaining or disclosing personal data may also be a criminal offence.

It is proposed that there be a termly ‘Data Protection Day’ to allow all staff who process personal data to spend a day, or a portion of a day, without penalty or interruption, checking that procedures are being correctly followed, that data is up-to-date and/or deleted as appropriate, and that email folders have been cleaned. (This need not be the same day for all departments.) There will also be a drop-in advice session on the same day.

Training is mandatory: all staff who handle personal data must undergo training annually (in most cases this will involve completion of the OU Information Compliance Team’s test in January), and all new staff (as defined in ¶ 1) must be trained on arrival, before handling any personal data, by undertaking the same test and reading any material provided by the Christ Church data protection team.

All contracts with staff, and with external contractors where relevant, should include an obligation to adhere to this policy. Where a contractor processes personal data on Christ Church’s behalf, the contract must also contain the processor terms that data protection law requires.

8. Further information

Advice on data protection issues can be obtained in the first instance from the DPO and/or the DPCM. Advice concerning information security can be obtained from SocIT (the Shared Oxford Colleges Information Technology group).

9. Review and development

This policy and its supporting guidance will apply from 22 May 2024. It will be reviewed and approved annually by the Data Protection Working Group, at its meeting in Michaelmas term, and by Governing Body, at its second meeting in Michaelmas term.